At which network layer should we handle security of in-flight data? Some argue the application layer is most appropriate because this is where the user’s personal data, semantics and security requirements reside. Others argue that security should start in the network and physical layers, protecting even the protocol information involved in moving data — implementing encryption as deeply as possible, even at Layer 1. This is particularly true for Internet of Things (IoT) traffic where data generated is never at rest.
Depending on security requirements, both are correct. Security at different levels can be complementary and collectively enhance security. Cybercrime is now costing companies over $400 billion annually. According to Gemalto’s breach level index, since 2013, security breaches have resulted in the loss or theft of an estimated 5.9 billion data records from enterprises worldwide. That’s about 47 records every second. Of course, if records are encrypted, stolen information is useless. But that is only happening 4% of the time! So, while application layer security is a great idea, other layers of protection are also needed.
Regulated industries, such as healthcare and financial services, suffer the most costly data breaches due to fines and a higher-than-average rate of lost business. Last year, the average cost per incident was $4 million, according to a 2016 Poneman Institute study. Organizations recognize that the longer it takes to detect and contain a data breach the more costly it becomes to resolve.
Enterprises have traditionally relied on perimeter security in the form of firewalls, DMZs and other technologies. However, as they turn increasingly to cloud-based enterprise services, perimeter security is no longer sufficient. Their enterprise-critical data is distributed far beyond the organization’s boundaries. But doesn’t this evolution from enterprise perimeter security to wide-area networking and cloud services increase the degree of risk for enterprises?
Contrary to some opinion, this move to the cloud is likely to make most enterprises more secure. It is important to remember that Layer 1 security starts with ensuring the physical security of all the various network elements and facilities. Communication Service Providers (CSPs) and cloud providers are better equipped than most enterprises to ensure the physical security of their infrastructure, yielding an improvement to overall security. CSP network elements, for instance, are more tamper-resistant and difficult to deactivate or bypass than their enterprise counterparts. Also, the CSP can ensure the availability of network services with a robust assurance function that can provide the enterprise customer with much greater security than the typical enterprise network provides. It is a similar situation in cloud data centers.
With better physical security for network infrastructure and higher availability and uptime for network resources, the next level of protection is through network traffic encryption. Best practices call for a holistic security approach that includes a multi-layered, “defense-in-depth” strategy.
Encryption is costly at higher network layers. Layer 1 encryption reduces the cost per encrypted bit by integrating the encryption function into the transport system. Encryption at higher layers also adds significant overhead and data stream latency. In contrast, Layer 1 encryption adds almost no additional overhead or latency to the transport process. Hardware-based Layer 1 encryption solutions enable very high bandwidth with encryption of 10 or 100 Gbps wire speeds and higher. This is especially critical for services that require real-time traffic management to uphold service level agreement (SLA) requirements for application disk access and rich content delivery such as video and voice calls.
Of course, the encryption algorithm must rely on strong, quality keys. For “top secret” data requiring 256-bit strength, a strong AES-256 algorithm with 256-bit key size should be used. And the keys should come from a key generator that produces a truly random, quality key to match the strength of the encryption algorithm.
Key management, exchange and authentication can be labor-intensive and cumbersome when there are many separate encryption devices and encryption streams to manage. By centralizing key management, the CSP can ensure a single point of trust and consistent policy enforcement. It also streamlines administration by allowing updates to be made once, and cascaded automatically across the network. This enables single-point key revocation and one-point-to-force, multi-tenant synchronized key rotations.
Enterprises should feel more confident about distributing their applications across the wide area and utilizing cloud-based services. The new distributed, cloud model is changing many aspects of our digital world, perhaps none more so than the key role that CSPs play to provide a global, scalable and secure platform for the connection of everything to everything. Layer 1 security is the foundation for confidence and trust in securing data while in-flight.